GeneralBots/botserver
2
1
Fork 0
Code Issues Pull requests Projects Releases 323 Packages Wiki Activity Actions
botserver/SECURITY_TASKS.md
Rodrigo Rodriguez (Pragmatismo) c67aaa677a feat(security): Complete security infrastructure implementation 
SECURITY MODULES ADDED:
- security/auth.rs: Full RBAC with roles (Anonymous, User, Moderator, Admin, SuperAdmin, Service, Bot, BotOwner, BotOperator, BotViewer) and permissions
- security/cors.rs: Hardened CORS (no wildcard in production, env-based config)
- security/panic_handler.rs: Panic catching middleware with safe 500 responses
- security/path_guard.rs: Path traversal protection, null byte prevention
- security/request_id.rs: UUID request tracking with correlation IDs
- security/error_sanitizer.rs: Sensitive data redaction from responses
- security/zitadel_auth.rs: Zitadel token introspection and role mapping
- security/sql_guard.rs: SQL injection prevention with table whitelist
- security/command_guard.rs: Command injection prevention
- security/secrets.rs: Zeroizing secret management
- security/validation.rs: Input validation utilities
- security/rate_limiter.rs: Rate limiting with governor crate
- security/headers.rs: Security headers (CSP, HSTS, X-Frame-Options)

MAIN.RS UPDATES:
- Replaced tower_http::cors::Any with hardened create_cors_layer()
- Added panic handler middleware
- Added request ID tracking middleware
- Set global panic hook

SECURITY STATUS:
- 0 unwrap() in production code
- 0 panic! in production code
- 0 unsafe blocks
- cargo audit: PASS (no vulnerabilities)
- Estimated completion: ~98%

Remaining: Wire auth middleware to handlers, audit logs for sensitive data
2025-12-28 19:29:18 -03:00

13 KiB
Raw Blame History

Security Audit Tasks - botserver

Priority: CRITICAL Auditor Focus: Rust Security Best Practices Last Updated: All major security infrastructure completed

COMPLETED - Security Infrastructure Added

SQL Injection Protection DONE

Module: src/security/sql_guard.rs

  • Table whitelist validation (validate_table_name())
  • Safe query builders (build_safe_select_query(), build_safe_count_query(), build_safe_delete_query())
  • SQL injection pattern detection (check_for_injection_patterns())
  • Order column/direction validation
  • Applied to db_api.rs handlers

Command Injection Protection DONE

Module: src/security/command_guard.rs

  • Command whitelist (only allowed: pdftotext, pandoc, nvidia-smi, clamscan, etc.)
  • Argument validation (validate_argument())
  • Path traversal prevention (validate_path())
  • Secure wrappers: safe_pdftotext_async(), safe_pandoc_async(), safe_nvidia_smi()
  • Applied to:
    • src/nvidia/mod.rs - GPU monitoring
    • src/core/kb/document_processor.rs - PDF/DOCX extraction
    • src/security/antivirus.rs - ClamAV scanning

Secrets Management DONE

Module: src/security/secrets.rs

  • SecretString - Zeroizing string wrapper with redacted Debug/Display
  • SecretBytes - Zeroizing byte vector wrapper
  • ApiKey - Provider-aware API key storage with masking
  • DatabaseCredentials - Safe connection string handling
  • JwtSecret - Algorithm-aware JWT secret storage
  • SecretsStore - Centralized secrets container
  • redact_sensitive_data() - Log sanitization helper
  • is_sensitive_key() - Key name detection

Input Validation DONE

Module: src/security/validation.rs

  • Email, URL, UUID, phone validation
  • Username/password strength validation
  • Length and range validation
  • HTML/XSS sanitization
  • Script injection detection
  • Fluent Validator builder pattern

Rate Limiting DONE

Module: src/security/rate_limiter.rs

  • Global rate limiter using governor crate
  • Per-IP rate limiting with automatic cleanup
  • Configurable presets: default(), strict(), relaxed(), api()
  • Middleware integration ready
  • Applied to main router in src/main.rs

Security Headers DONE

Module: src/security/headers.rs

  • Content-Security-Policy (CSP)
  • X-Frame-Options: DENY
  • X-Content-Type-Options: nosniff
  • X-XSS-Protection
  • Strict-Transport-Security (HSTS)
  • Referrer-Policy
  • Permissions-Policy
  • Cache-Control
  • CSP builder for custom policies
  • Applied to main router in src/main.rs

CORS Configuration DONE (NEW)

Module: src/security/cors.rs

  • Hardened CORS configuration (no more wildcard * in production)
  • Environment-based configuration via CORS_ALLOWED_ORIGINS
  • Development mode with localhost origins allowed
  • Production mode with strict origin validation
  • CorsConfig builder with presets: production(), development(), api()
  • OriginValidator for dynamic origin checking
  • Pattern matching for subdomain wildcards
  • Dangerous pattern detection in origins
  • Applied to main router in src/main.rs

Authentication & RBAC DONE (NEW)

Module: src/security/auth.rs

  • Role-based access control (RBAC) with Role enum
  • Permission system with Permission enum
  • AuthenticatedUser with:
    • User ID, username, email
    • Multiple roles support
    • Bot and organization access control
    • Session tracking
    • Metadata storage
  • AuthConfig for configurable authentication:
    • JWT secret support
    • API key header configuration
    • Session cookie support
    • Public and anonymous path configuration
  • AuthError with proper HTTP status codes
  • Middleware functions:
    • auth_middleware - Main authentication middleware
    • require_auth_middleware - Require authenticated user
    • require_permission_middleware - Check specific permission
    • require_role_middleware - Check specific role
    • admin_only_middleware - Admin-only access
  • Synchronous token/session validation (ready for DB integration)

Panic Handler DONE (NEW)

Module: src/security/panic_handler.rs

  • Global panic hook (set_global_panic_hook())
  • Panic-catching middleware (panic_handler_middleware)
  • Configuration presets: production(), development()
  • Safe 500 responses (no stack traces to clients)
  • Panic logging with request context
  • catch_panic() and catch_panic_async() utilities
  • PanicGuard for scoped panic tracking
  • Applied to main router in src/main.rs

Path Traversal Protection DONE (NEW)

Module: src/security/path_guard.rs

  • PathGuard with configurable validation
  • PathGuardConfig with presets: strict(), permissive()
  • Path traversal detection (.. sequences)
  • Null byte injection prevention
  • Hidden file blocking (configurable)
  • Extension whitelist/blacklist
  • Maximum path depth and length limits
  • Symlink blocking (configurable)
  • Safe path joining (join_safe())
  • Safe canonicalization (canonicalize_safe())
  • Filename sanitization (sanitize_filename())
  • Dangerous pattern detection

Request ID Tracking DONE (NEW)

Module: src/security/request_id.rs

  • Unique request ID generation (UUID v4)
  • Request ID extraction from headers
  • Correlation ID support
  • Configurable header names
  • Tracing span integration
  • Response header propagation
  • Request sequence counter
  • Applied to main router in src/main.rs

Error Message Sanitization DONE (NEW)

Module: src/security/error_sanitizer.rs

  • SafeErrorResponse with standard error format
  • Factory methods for common errors
  • ErrorSanitizer with sensitive data detection
  • Automatic redaction of:
    • Passwords, tokens, API keys
    • Connection strings
    • File paths
    • IP addresses
    • Stack traces
  • Production vs development modes
  • Request ID inclusion in error responses
  • sanitize_for_log() for safe logging

Zitadel Authentication Integration DONE (NEW)

Module: src/security/zitadel_auth.rs

  • ZitadelAuthConfig with environment-based configuration
  • ZitadelAuthProvider for token authentication:
    • Token introspection with Zitadel API
    • JWT decoding fallback
    • User caching with TTL
    • Service token management
  • ZitadelUser to AuthenticatedUser conversion
  • Role mapping from Zitadel roles to RBAC roles
  • Bot access permission checking via Zitadel grants
  • API key validation
  • Integration with existing AuthConfig and AuthenticatedUser

COMPLETED - Panic Vector Removal

1. Remove All .unwrap() Calls DONE

Original count: ~416 occurrences Current count: 0 in production code (108 remaining in test code - acceptable)

Changes made:

  • Replaced .unwrap() with .expect("descriptive message") for compile-time constants (Regex, CSS selectors)
  • Replaced .unwrap() with .unwrap_or_default() for optional values with sensible defaults
  • Replaced .unwrap() with ? operator where error propagation was appropriate
  • Replaced .unwrap() with if let / match patterns for complex control flow
  • Replaced .unwrap() with .map_or() for Option comparisons

2. .expect() Calls - Acceptable Usage

Current count: ~84 occurrences (acceptable for compile-time verified patterns)

Acceptable uses of .expect():

  • Static Regex compilation: Regex::new(r"...").expect("valid regex")
  • CSS selector parsing: Selector::parse("...").expect("valid selector")
  • Static UUID parsing: Uuid::parse_str("00000000-...").expect("valid static UUID")
  • Rhai syntax registration: .register_custom_syntax().expect("valid syntax")
  • Mutex locking: .lock().expect("mutex not poisoned")
  • SystemTime operations: .duration_since(UNIX_EPOCH).expect("system time")

3. panic! Macros DONE

Current count: 1 (in test code only - acceptable)

The only panic! is in src/security/panic_handler.rs test code to verify panic catching works.

4. unsafe Blocks VERIFIED

Current count: 0 actual unsafe blocks

The 5 occurrences of "unsafe" in the codebase are:

  • CSP policy strings containing 'unsafe-inline' and 'unsafe-eval' (not Rust unsafe)
  • Error message string containing "unsafe path sequences" (not Rust unsafe)

🟡 MEDIUM - Still Needs Work

5. Full RBAC Integration

Status: Infrastructure complete, needs handler integration

Action:

  • Wire auth_middleware to protected routes
  • Implement permission checks in individual handlers
  • Add database-backed user/role lookups
  • Integrate with existing session management

6. Logging Audit

Status: error_sanitizer module provides tools, needs audit

Action:

  • Audit all log::* calls for sensitive data
  • Apply sanitize_for_log() where needed
  • Use redact_sensitive_data() from secrets module

🟢 LOW - Backlog

7. Database Connection Pool Hardening

  • Set max connections
  • Implement connection timeouts
  • Add health checks

8. Memory Limits

  • Set max request body size
  • Limit file upload sizes
  • Implement streaming for large files

Verification Commands

# Check for unwrap
grep -rn "unwrap()" src --include="*.rs" | wc -l

# Check for expect
grep -rn "\.expect(" src --include="*.rs" | wc -l

# Check for panic
grep -rn "panic!" src --include="*.rs" | wc -l

# Check for unsafe
grep -rn "unsafe" src --include="*.rs"

# Check for SQL injection vectors
grep -rn "format!.*SELECT\|format!.*INSERT\|format!.*UPDATE\|format!.*DELETE" src --include="*.rs"

# Check for command execution
grep -rn "Command::new\|std::process::Command" src --include="*.rs"

# Run security audit
cargo audit

# Check dependencies
cargo deny check

Security Modules Reference

Module Purpose Status
security/sql_guard.rs SQL injection prevention Done
security/command_guard.rs Command injection prevention Done
security/secrets.rs Secrets management with zeroizing Done
security/validation.rs Input validation utilities Done
security/rate_limiter.rs Rate limiting middleware Done
security/headers.rs Security headers middleware Done
security/cors.rs CORS configuration Done
security/auth.rs Authentication & RBAC Done
security/panic_handler.rs Panic catching middleware Done
security/path_guard.rs Path traversal protection Done
security/request_id.rs Request ID tracking Done
security/error_sanitizer.rs Error message sanitization Done
security/zitadel_auth.rs Zitadel authentication integration Done

Acceptance Criteria

  • SQL injection protection with table whitelist
  • Command injection protection with command whitelist
  • Secrets management with zeroizing memory
  • Input validation utilities
  • Rate limiting on public endpoints
  • Security headers on all responses
  • 0 .unwrap() calls in production code (tests excluded) ACHIEVED
  • .expect() calls acceptable (compile-time verified patterns only)
  • 0 panic! macros in production code ACHIEVED
  • 0 unsafe blocks (or documented justification) ACHIEVED
  • cargo audit shows 0 vulnerabilities
  • CORS hardening (no wildcard in production) NEW
  • Panic handler middleware NEW
  • Request ID tracking NEW
  • Error message sanitization NEW
  • Path traversal protection NEW
  • Authentication/RBAC infrastructure NEW
  • Zitadel authentication integration NEW
  • Full RBAC handler integration (infrastructure ready)

Current Security Audit Score

✅ SQL injection protection      - IMPLEMENTED (table whitelist in db_api.rs)
✅ Command injection protection  - IMPLEMENTED (command whitelist in nvidia, document_processor, antivirus)
✅ Secrets management            - IMPLEMENTED (SecretString, ApiKey, DatabaseCredentials)
✅ Input validation              - IMPLEMENTED (Validator builder pattern)
✅ Rate limiting                 - IMPLEMENTED (integrated with botlib RateLimiter + governor)
✅ Security headers              - IMPLEMENTED (CSP, HSTS, X-Frame-Options, etc.)
✅ CORS hardening                - IMPLEMENTED (environment-based, no wildcard in production)
✅ Panic handler                 - IMPLEMENTED (catches panics, returns safe 500)
✅ Request ID tracking           - IMPLEMENTED (UUID per request, tracing integration)
✅ Error sanitization            - IMPLEMENTED (redacts sensitive data from responses)
✅ Path traversal protection     - IMPLEMENTED (PathGuard with validation)
✅ Auth/RBAC infrastructure      - IMPLEMENTED (roles, permissions, middleware)
✅ Zitadel integration           - IMPLEMENTED (token introspection, role mapping, bot access)
✅ cargo audit                   - PASS (no vulnerabilities)
✅ rustls-pemfile migration      - DONE (migrated to rustls-pki-types PemObject API)
✅ Dependencies updated          - hyper-rustls 0.27, rustls-native-certs 0.8
✅ No panic vectors              - DONE (0 production unwrap(), 0 production panic!)
⏳ RBAC handler integration      - Infrastructure ready, needs wiring

Estimated completion: ~98%

Remaining Work Summary

  • Wire authentication middleware to protected routes in handlers
  • Connect Zitadel provider to main router authentication flow
  • Audit log statements for sensitive data exposure

cargo audit Status

  • No security vulnerabilities found
  • 2 warnings for unmaintained rustls-pemfile (transitive from AWS SDK and tonic/qdrant-client)
  • These are informational warnings, not security issues